Cloud infrastructure services allow a customer to use networked servers, or to instantiate virtual servers running software the customer specifies, without owning or managing the physical hardware (e.g., the hardware underlying the virtual server instances). Cloud infrastructure services, including, for example, Amazon EC2, may enable users to instantiate a number of virtual servers in a variety of different configurations to match their needs.
After being instantiated, a script on a virtual server may attempt to make changes to the cloud configuration, or to other servers. For example, to create a backup of files, a virtual server may issue a command to take a snapshot of a disk volume to the application program interface (API) of the cloud provider. The cloud provider may be a vendor selling access to servers in a cloud configuration. A subscriber may have credentials for an account used to manage resources with the cloud infrastructure service. For example, subscribers to Amazon's AWS each have an account; in Google's Compute Engine the equivalent is called a project, and in Microsoft's Windows Azure it is called a subscription. Credentials may belong to a particular user, and the user may have access to multiple accounts. To perform the snapshot action, the vendor's API may require that the caller present certain credentials. If the credentials are account-wide, users may place the account credentials on every server that needs to make such API calls. This is a security risk because the account credentials grant access to everything in the account: an intruder who gains access to any one such machine thereby gains access to every resource in the account, not merely to the one action (the snapshot) that the server legitimately needed.
For instance, an intruder who gains access to front-end load-balancing servers, which are typically exposed to the public, may obtain credentials that then allow him to retrieve backup disk snapshots of back-end database servers that are otherwise well protected. In some circumstances, this could allow the intruder to access backups, detach (unmount) storage volumes from the databases and attach (mount) them on the compromised load balancers, launch additional databases from which data could be mined, modify the network security policies that prevent him from directly accessing the back-end servers, and so on. In another example, an intruder may use the account credentials to register a server that does not belong to the deployment as a load-balancing server.
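The following is an added illustration of the risk described in the two preceding paragraphs; it is not code from the original text and does not model the actual evaluation logic of any cloud provider. It contains a deliberately simplified, IAM-style policy evaluator (explicit deny wins, then any matching allow, otherwise deny by default; each call is checked against a single resource, which real providers do not always do) and two constructed credential policies: an account-wide policy of the kind the text warns against, and a policy scoped to the one action the load balancer legitimately needs (snapshotting its own volume). The account ID, region, volume and snapshot identifiers are made up, and the action names follow the AWS naming style only for readability.

```python
"""Blast radius of account-wide vs. scoped credentials (constructed example)."""
from fnmatch import fnmatchcase

# Constructed sample identifiers; the ARN layout mirrors AWS's, but the
# account ID, region, volume and snapshot IDs are made up for this example.
ACCOUNT = "123456789012"
REGION = "us-east-1"
LB_VOLUME = f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/vol-0lb00000000000001"
DB_VOLUME = f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/vol-0db00000000000001"
DB_SNAPSHOT = f"arn:aws:ec2:{REGION}::snapshot/snap-0db0000000000001"
ANY_SG = f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/*"

# The weak setting: account-wide credentials placed on every server.
ACCOUNT_WIDE_POLICY = {
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}

# The corrected setting: the load balancer may only snapshot its own volume
# (and list volumes so it can find that volume's ID).
LB_SCOPED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:CreateSnapshot",
         "Resource": [LB_VOLUME, f"arn:aws:ec2:{REGION}::snapshot/*"]},
        {"Effect": "Allow", "Action": "ec2:DescribeVolumes", "Resource": "*"},
    ]
}


def _matches(pattern, value):
    """Wildcard match of a policy element (string or list) against a value."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM-style decision: an explicit Deny wins, otherwise any
    matching Allow permits the call, otherwise the call is denied by default."""
    decision = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


# The intruder's attempts from a compromised load balancer, following the
# scenario in the text (all constructed).
INTRUDER_ATTEMPTS = [
    ("ec2:CreateSnapshot", DB_VOLUME),               # snapshot the database volume
    ("ec2:DescribeSnapshots", DB_SNAPSHOT),          # locate existing backups
    ("ec2:DetachVolume", DB_VOLUME),                 # unmount storage from the database
    ("ec2:AttachVolume", DB_VOLUME),                 # mount it on the load balancer
    ("ec2:AuthorizeSecurityGroupIngress", ANY_SG),   # open the network security policy
    ("elasticloadbalancing:RegisterTargets", "*"),   # register a rogue back-end server
]


def blast_radius(policy):
    """Return the intruder's attempts that the credential on the load balancer permits."""
    return [(a, r) for a, r in INTRUDER_ATTEMPTS if is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("account-wide", ACCOUNT_WIDE_POLICY), ("scoped", LB_SCOPED_POLICY)):
        print(f"{name}: {len(blast_radius(policy))} of {len(INTRUDER_ATTEMPTS)} attempts permitted")
    # The scoped credential still serves the legitimate backup task:
    print("scoped can snapshot own volume:", is_allowed(LB_SCOPED_POLICY, "ec2:CreateSnapshot", LB_VOLUME))
```

With the account-wide policy every one of the six attempts succeeds; with the scoped policy none do, while the load balancer can still snapshot its own volume. The evaluator is a teaching model only: real providers also require permissions on every resource a call touches, and some list-style calls cannot be restricted by resource at all, so a production policy should be checked with the provider's own policy simulator.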